• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#!/usr/bin/env python
2#
3# Copyright (C) 2019 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9#      http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17"""
18Signs a standalone APEX file.
19
20Usage:  sign_apex [flags] input_apex_file output_apex_file
21
22  --avbtool <avbtool>
23      Optional flag that specifies the AVB tool to use. Defaults to `avbtool`.
24
25  --container_key <key>
26      Mandatory flag that specifies the container signing key.
27
28  --payload_key <key>
29      Mandatory flag that specifies the payload signing key.
30
31  --payload_extra_args <args>
32      Optional flag that specifies any extra args to be passed to payload signer
33      (e.g. --payload_extra_args="--signing_helper_with_files /path/to/helper").
34
35  -e  (--extra_apks)  <name,name,...=key>
36      Add extra APK name/key pairs. This is useful to sign the apk files in the
37      apex payload image.
38
39  --codename_to_api_level_map Q:29,R:30,...
40      A Mapping of codename to api level.  This is useful to provide sdk targeting
41      information to APK Signer.
42
43  --sign_tool <sign_tool>
44      Optional flag that specifies a custom signing tool for the contents of the apex.
45
46  --container_pw <name1=passwd,name2=passwd>
47      A mapping of key_name to password
48"""
49
50import logging
51import shutil
52import re
53import sys
54
55import apex_utils
56import common
57
58logger = logging.getLogger(__name__)
59OPTIONS = common.OPTIONS
60
61
62def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
63                 apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None, container_pw=None):
64  """Signs the given apex file."""
65  with open(apex_file, 'rb') as input_fp:
66    apex_data = input_fp.read()
67
68  return apex_utils.SignApex(
69      avbtool,
70      apex_data,
71      payload_key=payload_key,
72      container_key=container_key,
73      container_pw=container_pw,
74      codename_to_api_level_map=codename_to_api_level_map,
75      no_hashtree=no_hashtree,
76      apk_keys=apk_keys,
77      signing_args=signing_args,
78      sign_tool=sign_tool,
79      is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name))
80
81
82def main(argv):
83
84  options = {}
85
86  def option_handler(o, a):
87    if o == '--avbtool':
88      options['avbtool'] = a
89    elif o == '--container_key':
90      # Strip the suffix if any, as common.SignFile expects no suffix.
91      DEFAULT_CONTAINER_KEY_SUFFIX = '.x509.pem'
92      if a.endswith(DEFAULT_CONTAINER_KEY_SUFFIX):
93        a = a[:-len(DEFAULT_CONTAINER_KEY_SUFFIX)]
94      options['container_key'] = a
95    elif o == '--payload_key':
96      options['payload_key'] = a
97    elif o == '--payload_extra_args':
98      options['payload_extra_args'] = a
99    elif o == '--codename_to_api_level_map':
100      versions = a.split(",")
101      for v in versions:
102        key, value = v.split(":")
103        if 'codename_to_api_level_map' not in options:
104          options['codename_to_api_level_map'] = {}
105        options['codename_to_api_level_map'].update({key: value})
106    elif o in ("-e", "--extra_apks"):
107      names, key = a.split("=")
108      names = names.split(",")
109      for n in names:
110        if 'extra_apks' not in options:
111          options['extra_apks'] = {}
112        options['extra_apks'].update({n: key})
113    elif o == '--sign_tool':
114      options['sign_tool'] = a
115    elif o == '--container_pw':
116      passwords = {}
117      pairs = a.split()
118      for pair in pairs:
119        if "=" not in pair:
120          continue
121        tokens = pair.split("=", maxsplit=1)
122        passwords[tokens[0].strip()] = tokens[1].strip()
123      options['container_pw'] = passwords
124    else:
125      return False
126    return True
127
128  args = common.ParseOptions(
129      argv, __doc__,
130      extra_opts='e:',
131      extra_long_opts=[
132          'avbtool=',
133          'codename_to_api_level_map=',
134          'container_key=',
135          'payload_extra_args=',
136          'payload_key=',
137          'extra_apks=',
138          'sign_tool=',
139          'container_pw=',
140      ],
141      extra_option_handler=option_handler)
142
143  if (len(args) != 2 or 'container_key' not in options or
144      'payload_key' not in options):
145    common.Usage(__doc__)
146    sys.exit(1)
147
148  common.InitLogging()
149
150  signed_apex = SignApexFile(
151      options.get('avbtool', 'avbtool'),
152      args[0],
153      options['payload_key'],
154      options['container_key'],
155      no_hashtree=False,
156      apk_keys=options.get('extra_apks', {}),
157      signing_args=options.get('payload_extra_args'),
158      codename_to_api_level_map=options.get(
159          'codename_to_api_level_map', {}),
160      sign_tool=options.get('sign_tool', None),
161      container_pw=options.get('container_pw'),
162  )
163  shutil.copyfile(signed_apex, args[1])
164  logger.info("done.")
165
166
167if __name__ == '__main__':
168  try:
169    main(sys.argv[1:])
170  finally:
171    common.Cleanup()
172